Wallet Drainers: a $300+ Million Crypto Scam-as-a-Service Industry

NEFTURE SECURITY I Blockchain Security
Coinmonks
10 min readMar 14, 2024


When the scam-as-a-service wallet drainer infiltrated the crypto world, bells should have rung, alarms blared, and the heavens should have parted, as if the crypto god himself descended to forewarn the community of an impending paradigm shift.

One where navigating the treacherous waters of crypto would become nearly impossible, as the ability to drain crypto wallets became accessible to all.

Unfortunately, no such forewarning occurred, leading us to the present moment.

In 2023 alone, these scam-as-a-service crypto wallet drainers siphoned off $300 million from the pockets of 320,000 unsuspecting users.

In the first two months of 2024, they have already drained $104 million.

They wear different names.

Deceitful ones like “Angel” or “Pink,” meme-like ones like “Monkey,” or very explicit ones like “Inferno.”

Although “Pink Drainer” is not a name that should strike fear into anyone’s heart, do not be mistaken: SAAS drainers are a crypto monster that has been wreaking absolute havoc in the lives of crypto retail investors, even though most of them have never heard of it.

When the community remembers the seismic shock that made the entire DeFi ecosystem wobble in December 2023, the Ledger Connect Kit hack, how many of them know that it was an Angel Drainer trick?

So today, we will delve into how these invisible yet omnipresent entities operate and how they managed to have such a fruitful phishing year in 2023!

1 — Scam-as-a-Service, The Democratization of Crypto Phishing Scams

Where, in the old days, one needed to be blockchain-savvy to build from scratch a tool that could drain a victim’s wallet in two clicks, SAAS broke down this barrier.

So that anyone, even you, reader, could set up a flourishing crypto phishing business.

It’s not even said in jest.

SAAS: Fraud at the Fingertips of Everyone

In its most coarse and unsophisticated form, running a phishing scam only requires an “anonymous” website; a simple Google search turns up plenty of services ready to set one up in fewer than 10 steps. Then you only have to design a crude landing page, which is the standard for crypto scams, since their “phishing hooks” (giveaways, airdrops or mints) are often a landing-page affair for legitimate projects too.

The last step is to hide your drainer behind the “claim your airdrop” button and voilà!

That’s how (schematically) your average Joe can turn into a high-caliber crypto fraudster!

Now, let’s rewind a bit.

How does one come by a crypto wallet drainer kit?

As with everything scammy under the Milky Way’s sun, you will find it on Telegram.

Telegram, aptly nicknamed the “Scammers’ Paradise,” is where the crews behind these crypto phishing kits openly sell them to all and sundry!

Ad from Inferno Drainer on Telegram — Source: Group IB

As per cybersecurity firm Guardio Labs’ latest report, where once, to get access to scam tools, one had to jump through hoops, such as getting into forums found “only on invite-only forums in the Dark web, hidden behind Tor Onion networks,” today no such hassle exists.

You only need to type what you’re looking for in Telegram’s search bar and you’re ready to embark on your criminal journey:

“This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims’ data. Free samples, tutorials, kits, even hackers-for-hire — everything needed to construct a complete end-to-end malicious campaign.” — Guardio Labs

In their research, Guardio even demonstrated how they were able to mount a “successful mass attack” for $230.

“From 230$ to at least 2350$ — This is exactly why phishing is such a good “business”” — Guardio Labs

The SAAS Business Model

Pink Drainer, Angel Drainer, Inferno Drainer, new drainer on the block MS Drainer, and the like seem to have adopted the same business model.

They offer individuals and phishing teams a turnkey way to drain crypto wallets, in exchange for a hefty initial deposit and a 20–30% cut of the future phishing loot.

Blockchain security firm SlowMist’s report on Angel Drainer revealed that it demanded a $40,000 deposit from its “customers” along with a 20% fee, justified by the full-service phishing package Angel Drainer offered: an automatic site-cloning tool with a linked drainer, multi-chain support, and so on.

As illustrated by this Angel Drainer’s “ad”:

Source: Slowmist

According to Scam Sniffer’s report, in 2023 drainer fees alone allowed these crypto SAAS crews to bank at least $47 million.

One must admit that’s quite the genius criminal plan.

The masterminds behind these drainers need to do next to nothing to rake in the cash.

They never endanger their own safety or anonymity, while their customers are the ones investing time in mounting and running sometimes very expensive phishing campaigns and taking the risk of exposure.

An Ever Changing Landscape

Although crypto wallet drainers are extremely lucrative, the SAAS players themselves keep changing.

One of the most well-known, if not the first recorded, SAAS crypto wallet drainer, Monkey Drainer, was active from August 2022 to February 28th, 2023.

After a $16 million run, made from more than 18,000 victims and a 30% cut, the Monkey Drainer crew closed up shop after being exposed by crypto sleuth ZachXBT.

Probably trying to escape the spotlight, they announced their “retirement” with plenty of dramatic flair:

Monkey Drainer’s retirement message

Now, did they really retire or did they choose to rebirth themselves under a new name? Only time will tell.

Venom and Pussy Drainers, which appeared just a month before Monkey Drainer’s retirement, were able to claim its abruptly abandoned customers.

In the month following the disappearance of Monkey Drainer, at least four drainer crews entered the landscape: Inferno Drainer, MS Drainer, Pink Drainer and Angel Drainer, while Venom disappeared in April 2023.

Source: ScamSniffer

In November 2023, the most damaging wallet drainer kit of crypto history, Inferno Drainer, announced that they would also retire!

“A big thank you to everyone who has worked with us. We hope you can remember us as the best drainer that has ever existed and that we succeeded in helping you in the quest to make money. Goodbye.” — Inferno Drainer

But this time around, breaking with their forefathers’ tradition, they chose not to shut down.

All files, servers, and devices related to their kit would keep running so that their faithful customers would have time to transition smoothly to a new wallet drainer.

The direct consequence of this move is that since their “retirement,” with no date announced for the final unplug, scammers have kept actively using the kit and have reaped about $30 million in two months, stolen from around 40,000 new victims.

Figures of victims and funds stolen as of January 29th, 2024, by ScamSniffer — Source: Dune

As seen in the chart below, one alarming trend linked to these SAAS is the steep increase in phishing scams deployed.

The scale and speed have escalated alarmingly. For instance, Monkey Drainer drained $16 million over a span of 6 months, while Inferno Drainer outpaced this significantly, looting $81 million in just 9 months.

Wallet Drainers Trends by ScamSniffer

Thus, a terrifying growth in ill-gotten funds: Inferno Drainer is now on the verge of breaking the $100 million threshold after less than 10 months of operation.

Today, crypto SAAS make almost five times more in a month than they did a year ago.

Impressive as the extent of its criminal success is, the Inferno Drainer crew is not the most intriguing.

This title is owned by the Angel Drainer.

Angel Drainer, a Different Actor?

As explained earlier, these SAAS are pure criminal genius because the crews behind them have to do next to nothing.

Now, for reasons unknown, the seemingly Russia-based Angel Drainer crew does not hesitate to dirty its own hands.

We do not know whether they are motivated by greed or something more, but their direct involvement in the Ledger Connect Kit hack is of note.

According to blockchain security firm SlowMist, Angel Drainer was not only used as a SAAS tool; the team behind it orchestrated the whole affair, compromising the hundreds of DeFi protocols that used the Ledger Connect Kit and draining over $600,000 in a two-hour window.

Although a $600,000 heist may seem laughable next to the half-billion-dollar hacks seen in the crypto space, this short (two-hour) attack was extremely impactful, both by its scale, with hundreds of protocols involved, and by the target chosen: Ledger, an actor that has been the ultimate blockchain security powerhouse for years, and a tool of its that has been structural to countless mainstream and respected crypto actors.

For hours, the whole community was literally frozen.

No one dared to even blink, terrorized by the idea of losing everything.

The shock value of this hack was immeasurable.

So, what does it signify?

Is the Angel Drainer on the path to evolving from a “passive” devilish tool to an active crypto villain?

That answer will have to wait.

But there is one question to which we do have the answer.

SAAS kits are just that: kits. Their existence alone does not explain how they came to be at the heart of $300 million in wallet thefts in 2023.

2 — 2023, The Perfect Landscape For Crypto Phishing Scammers

We discussed in the first half how scam/drainer-as-a-service caused a significant shift in the crypto criminal topography by opening the crypto space to non-crypto-savvy aspiring criminals.

This is true not only for newcomers but also for Web2 scammers, who can now bridge the technology gap and enter the Web3 space, with its fat crypto wallets ripe for exploitation.

These kits likely caused an influx of new scammers into the space, for whom crypto wallet draining was now at their fingertips, consequently increasing by leaps and bounds the frequency and magnitude of such incidents.

But other circumstances also explain the vertigo-inducing losses we must thank them for.

Methodology

The fraudsters only need to lure their victims through Google and Twitter phishing ads, mass spam on social media, phishing links in hacked Discord or Twitter accounts, or through social engineering and direct messages (DMs) on social media platforms, and the deal is done.

Detailed overview of Inferno Drainer’s workflow — Source: Group IB

If an individual clicks on the link in a scammy Twitter post, they have most likely FOMOed and convinced themselves that the airdrop is legit.
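What the drainer hidden behind the “claim” button actually asks for, once the victim has clicked, is a signed transaction that hands the attacker control of the wallet’s tokens, most commonly an ERC-20 approve or an ERC-721/ERC-1155 setApprovalForAll in the attacker’s favour (a general fact about how these kits operate, not something stated in the article above). The following is an added example, not code from the article nor from Nefture’s product, of the pre-transaction screen a wallet or monitoring service can run on the calldata before the user signs: it decodes the two standard approval selectors and flags unlimited or blanket approvals to an address the user has never dealt with. The selectors are the standard Solidity ones; the allowlist, the 0x1111… and 0x2222… addresses and the sample calldata are constructed for the demonstration.

```python
"""Pre-transaction screen for the approval calls a wallet drainer coaxes
a victim into signing.

Added example, not the article's or Nefture's code. Selectors are the
standard ERC-20 / ERC-721 ones; every address and the allowlist are
constructed placeholders.
"""

MAX_UINT256 = (1 << 256) - 1

# Standard selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155
}

# Constructed allowlist of spenders the user has previously vetted
# (in practice: the router / marketplace contracts they actually use).
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111"}


def encode_call(selector_hex: str, *args: int) -> str:
    """ABI-encode a call whose arguments are all single 32-byte words
    (address, uint256 and bool are all padded to 32 bytes)."""
    return "0x" + selector_hex + "".join(a.to_bytes(32, "big").hex() for a in args)


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    word = data[4 + 32 * i:4 + 32 * (i + 1)]
    if len(word) != 32:
        raise ValueError("calldata too short for argument %d" % i)
    return word


def _verdict(func, counterparty, unlimited, risk, reason):
    return {"function": func, "counterparty": counterparty,
            "unlimited": unlimited, "risk": risk, "reason": reason}


def screen_calldata(calldata: str, allowlist=KNOWN_SPENDERS) -> dict:
    """Decode calldata and rate the approval it requests.

    'high'   : unlimited allowance or blanket operator grant to an unknown address
    'medium' : bounded allowance to an unknown address
    'low'    : anything granted to an allowlisted address, a revocation,
               or a call that is not an approval at all
    """
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    selector = data[:4].hex()
    func = SELECTORS.get(selector)
    if func is None:
        return _verdict(None, None, False, "low", "selector %s is not an approval" % selector)

    counterparty = "0x" + _word(data, 0)[-20:].hex()   # address is right-aligned in the word
    known = counterparty in {a.lower() for a in allowlist}
    arg = int.from_bytes(_word(data, 1), "big")

    if func.startswith("approve"):
        if arg == 0:
            return _verdict(func, counterparty, False, "low", "allowance reset to zero")
        unlimited = arg == MAX_UINT256
        scope = "unlimited allowance" if unlimited else "allowance of %d" % arg
    else:
        if arg == 0:
            return _verdict(func, counterparty, False, "low", "operator revoked")
        unlimited = True   # setApprovalForAll(x, true) covers every token of the collection
        scope = "operator rights over the whole collection"

    risk = "low" if known else ("high" if unlimited else "medium")
    who = "allowlisted" if known else "unknown"
    return _verdict(func, counterparty, unlimited, risk, "%s granted to %s address" % (scope, who))


# Constructed sample calldata: an attacker address and an allowlisted router.
ATTACKER = 0x2222222222222222222222222222222222222222
ROUTER = 0x1111111111111111111111111111111111111111
DRAINER_APPROVE = encode_call("095ea7b3", ATTACKER, MAX_UINT256)   # classic drainer ask
DRAINER_SET_ALL = encode_call("a22cb465", ATTACKER, 1)             # NFT drainer ask
NORMAL_APPROVE = encode_call("095ea7b3", ROUTER, 10 ** 18)          # everyday DeFi usage
BOUNDED_UNKNOWN = encode_call("095ea7b3", ATTACKER, 10 ** 18)       # suspicious but bounded

if __name__ == "__main__":
    for name, cd in [("drainer approve", DRAINER_APPROVE), ("drainer setApprovalForAll", DRAINER_SET_ALL),
                     ("normal approve", NORMAL_APPROVE), ("bounded unknown", BOUNDED_UNKNOWN)]:
        print(name, "->", screen_calldata(cd)["risk"], "|", screen_calldata(cd)["reason"])
```

A real screen would add the EIP-2612 permit and Permit2 signature paths, since those let a drainer obtain the same allowance from an off-chain signature without any on-chain approve call, and would compare bounded allowances against the wallet’s actual balance rather than only against the maximum value.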

We discussed in detail what is psychologically at play when a person is faced by an opportunity to get rich quick:

In short, nothing could be easier.

And it has been made even easier since the takeover of Twitter by Elon Musk, with the introduction of paid blue/gold check accounts and a laxer attitude toward who can run ads on the platform. Scammers now freely promote their phishing scams there and efficiently impersonate accounts by buying a gold check.

Consequently, the Twitter crypto space is now saturated with phishing scams. One can rarely go a day without encountering one, increasing the risk of falling for such scams.

Context

It must be said, that the state of the crypto market in 2023 really helped those fraudsters score big.

The beginning of the year 2023 was still entrenched in the crypto winter, creating perfect victimization conditions, with distraught and weary retail investors on the lookout for THE opportunity that would allow them to redeem themselves, while simultaneously having most of their coins sitting in their wallets out of fear of losing even more.

The crypto winter was succeeded by an ongoing crypto spring, which also created favorable settings for fraudsters, with the community trying to get into new explosive trends, causing pretty intense FOMO. This was notably illustrated during the meme coins season triggered by the $PEPE coin, when $PEPE’s market capitalization surpassed $1 billion in May.

Impunity

But what most likely explains the popularity of phishing scams among crypto criminals is the absolute lack of judicial consequences for the scammers.

They enjoy total impunity.

Not only are their victims scattered around the world, making it hard to mobilize police and courts on their cases, but the scammers have mastered obfuscation methods that hide their ill-gotten funds and their identities.

To trace them back, and even hope to bring them to court, blockchain forensics and international police cooperation are needed.

The probability of that many resources being mobilized for a person who misclicked is close to none.

This creates the perfect criminal landscape.

Although prolific SAAS like Monkey Drainer and Inferno Drainer have ‘retired’, the latter after an almost $100 million heist, other drainers are still up and running, and new ones are sure to emerge, aiming to steal a slice of the crypto phishing pie. They promise to make 2024 a bountiful year for crypto phishing fraudsters.

SAAS have opened the phishing Pandora’s box, and no one knows how to close it back down.

About us

Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or threats.

Nefture’s core services include Real-Time Transaction Security and a Threat Monitoring Platform that provides accurate exploit detection and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi.

Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.

Secure your crypto journey, book a demo now!


Nefture secures crypto assets by detecting and mitigating malicious activities and system failures. - nefture.com